CLAIMS 

What is claimed is: 

1. A method for validating a digital certificate within 
5 a data processing system, the method comprising: 
receiving a digital certificate; 
retrieving a certificate revocation list; 
extracting a first serial number from the digital 
certificate, wherein the first serial number has been 
10 associated with the digital certificate by a certifying 
authority; 

determining whether the first serial number matches 
a second serial number stored within the certificate 
revocation list; 

15 in response to a determination that the first serial 

number matches the second serial number, computing a 
first certificate fingerprint for the digital 
certificate; and 

comparing the first certificate fingerprint with a 

20 second certificate fingerprint stored within the 
certificate revocation list, wherein the second 
certificate fingerprint is associated with the second 
serial number. 

25 2. The method of claim 1 further comprising: 

in response to a determination that the first 
certificate fingerprint matches the second certificate 
fingerprint, invalidating the digital certificate. 
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3. The method of claim 1 further comprising: 

in response to a determination that the first 
certificate fingerprint does not match the second 
certificate fingerprint , validating the digital 
5 certificate. 

4 . The method of claim 1 wherein the digital 
certificate and the certificate revocation list are 
formatted according to the X.509 standard. 

10 

5. The method of claim 1 wherein the second certificate 
fingerprint is stored within an X.509 extension within 
the certificate revocation list. 

15 6. The method of claim 1 wherein the step of computing a 
first certificate fingerprint for the digital certificate 
uses a digest algorithm in accordance with a digest 
algorithm identifier stored in association with the 
second certificate fingerprint. 
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7. A method for revoking a digital certificate, the 
method comprising : 

receiving a serial number for a digital certificate, 
wherein the serial number has been associated with the 
5 digital certificate by a certifying authority; 

creating an entry in a certificate revocation list 
for the digital certificate, wherein the entry comprises 
the serial number for the digital certificate; 

computing a certificate fingerprint for the digital 
10 certificate; and 

storing the certificate fingerprint within the entry 
in the certificate revocation list for the digital 
certificate . 

15 8. The method of claim 7 wherein the digital 

certificate and the certificate revocation list are 
formatted according to the X.509 standard. 

9. The method of claim 7 wherein the certificate 

20 fingerprint is stored within an X.509 extension within 
the entry in the certificate revocation list for the 
digital certificate . 

10. The method of claim 7 further comprising: 

25 storing a digest algorithm identifier in association 

with the certificate fingerprint within the entry in the 
certificate revocation list for the digital certificate 
that identifies a digest algorithm that has been used to 
compute the certificate fingerprint. 
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11. An apparatus for validating a digital certificate 
within a data processing system, the apparatus 
comprising : 

receiving means for receiving a digital certificate; 
5 retrieving means for retrieving a certificate 

revocation list; 

extracting means for extracting a first serial 
number from the digital certificate, wherein the first 
serial number has been associated with the digital 
10 certificate by a certifying authority; 

determining means for determining whether the first 
serial number matches a second serial number stored 
within the certificate revocation list; 

computing means for computing in response to a 
15 determination that the first serial number matches the 

second serial number, a first certificate fingerprint for 
the digital certificate; and 

comparing means for comparing the first certificate 
fingerprint with a second certificate fingerprint stored 
20 within the certificate revocation list, wherein the 

second certificate fingerprint is associated with the 
second serial number. 

12. The apparatus of claim 11 further comprising: 

25 invalidating means for invalidating the digital 

certificate in response to a determination that the first 
certificate fingerprint matches the second certificate 
fingerprint . 
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13. The apparatus of claim 11 further comprising: 
validating means for validating the digital 

certificate in response to a determination that the first 
certificate fingerprint does not match the second 
5 certificate fingerprint. 

14. The apparatus of claim 11 wherein the digital 
certificate and the certificate revocation list are 
formatted according to the X.509 standard. 

10 

15. The apparatus of claim 11 wherein the second 
certificate fingerprint is stored within an X.509 
extension within the certificate revocation list. 

15 16. The apparatus of claim 11 wherein the computing 

means uses a digest algorithm in accordance with a digest 
algorithm identifier stored in association with the 
second certificate fingerprint. 
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17. An apparatus for revoking a digital certificate, the 
apparatus comprising : 

receiving means for receiving a serial number for a 
digital certificate, wherein the serial number has been 
5 associated with the digital certificate by a certifying 
authority; 

creating means for creating an entry in a 
certificate revocation list for the digital certificate, 
wherein the entry comprises the serial number for the 
10 digital certificate; 

computing means for computing a certificate 
fingerprint for the digital certificate; and 

first storing means for storing the certificate 
fingerprint within the entry in the certificate 
15 revocation list for the digital certificate. 

18. The apparatus of claim 17 wherein the digital 
certificate and the certificate revocation list are 
formatted according to the X.509 standard. 

20 

19. The apparatus of claim 17 wherein the certificate 
fingerprint is stored within an X.509 extension within 
the entry in the certificate revocation list for the 
digital certificate . 
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20. The apparatus of claim 17 further comprising: 

second storing means for storing a digest algorithm 
identifier in association with the certificate 
5 fingerprint within the entry in the certificate 
revocation list for the digital certificate that 
identifies a digest algorithm that has been used to 
compute the certificate fingerprint. 
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21. A computer program product in a computer readable 
medium for use in a data processing system for validating 
a digital certificate, the computer program product 
comprising : 

5 instructions for receiving a digital certificate; 

instructions for retrieving a certificate revocation 

list ; 

instructions for extracting a first serial number 

from the digital certificate, wherein the first serial 
10 number has been associated with the digital certificate 

by a certifying authority; 

instructions for determining whether the first 

serial number matches a second serial number stored 

within the certificate revocation list; 
15 instructions for computing, in response to a 

determination that the first serial number matches the 

second serial number, a first certificate fingerprint for 

the digital certificate; and 

instructions for comparing the first certificate 
20 fingerprint with a second certificate fingerprint stored 

within the certificate revocation list, wherein the 

second certificate fingerprint is associated with the 

second serial number. 

25 22. The computer program product of claim 21 further 
comprising : 

instructions for invalidating the digital 
certificate in response to a determination that the first 
certificate fingerprint matches the second certificate 

30 fingerprint. 
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23. The computer program product of claim 21 further 
comprising : 

instructions for validating the digital certificate 
in response to a determination that the first certificate 
5 fingerprint does not match the second certificate 
fingerprint . 

24. The computer program product of claim 21 wherein the 
digital certificate and the certificate revocation list 

10 are formatted according to the X.509 standard. 

25. The computer program product of claim 21 wherein the 
second certificate fingerprint is stored within an X.509 
extension within the certificate revocation list. 

15 

26. The computer program product of claim 21 wherein the 
instructions for computing a first certificate 
fingerprint for the digital certificate uses a digest 
algorithm in accordance with a digest algorithm 

20 identifier stored in association with the second 
certificate fingerprint . 
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27. A computer program product in a computer readable 
medium for use in a data processing system for revoking a 
digital certificate, the computer program product 
comprising : 

5 instructions for receiving a serial number for a 

digital certificate, wherein the serial number has been 
associated with the digital certificate by a certifying 
authority; 

instructions for creating an entry in a certificate 
10 revocation list for the digital certificate, wherein the 
entry comprises the serial number for the digital 
certificate ; 

instructions for computing a certificate fingerprint 
for the digital certificate; and 
15 instructions for storing the certificate fingerprint 

within the entry in the certificate revocation list for 
the digital certificate. 

28. The computer program product of claim 27 wherein the 
20 digital certificate and the certificate revocation list 

are formatted according to the X.509 standard. 

29. The computer program product of claim 27 wherein the 
certificate fingerprint is stored within an X.509 

25 extension within the entry in the certificate revocation 
list for the digital certificate. 
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30. The computer program product of claim 27 furthe 
comprising : 

instructions for storing a digest algorithm 
identifier in association with the certificate 
fingerprint within the entry in the certificate 
revocation list for the digital certificate that 
identifies a digest algorithm that has been used to 
compute the certificate fingerprint. 
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31. A data structure representing a certificate 
revocation list for use in a data processing system, the 
data structure comprising: 

a serial number of a revoked digital certificate; 



a certificate fingerprint for the revoked digital 
certificate . 

32. The data structure of claim 31 wherein the 



entries, wherein each entry corresponds to a revoked 
digital certificate, and wherein the serial number and 
the certificate fingerprint of the revoked digital 
certificate are stored within an entry. 
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and 
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certificate revocation list contains a plurality of 
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